Cloudflare Docs
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Add CAA records

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

For additional security, set up Certificate Transparency Monitoring as well.

​​ Who should create CAA records?

You should create CAA records in Cloudflare if each of the following is true:

  • You uploaded your own custom origin server certificate (not provisioned by Cloudflare).
  • That certificate was issued by a CA (not self-signed).
  • Your domain is on a full setup (not a CNAME setup).
  • When adding new Custom Hostname and your customer has existing CAA records. In this case, ask your customer to remove the existing CAA records or add the missing CAA record.

​​ CAA records added by Cloudflare

Cloudflare adds CAA records automatically in two situations:

These records make sure Cloudflare can still issue Universal certificates on your behalf.

If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare (replacing with your own domain on Cloudflare):

➜ ~ dig caa +short
# CAA records added by DigiCert
0 issue "; cansignhttpexchanges=yes"
0 issuewild "; cansignhttpexchanges=yes"
# CAA records added by Sectigo
0 issue ""
0 issuewild ""
# CAA records added by Let's Encrypt
0 issue ""
0 issuewild ""
# CAA records added by Google Trust Services
0 issue "; cansignhttpexchanges=yes"
0 issuewild "; cansignhttpexchanges=yes"

​​ Create CAA records

Create a CAA record for each Certificate Authority (CA) that you plan to use for your domain.

To add a CAA record in the dashboard,

  1. Log in to the Cloudflare dashboard and select your account and application.
  2. Go to DNS > Records.
  3. Select Add record.
  4. For Type, select CAA.
  5. For Name, type your domain.
  6. Choose a Tag, which specifies the behavior associated with the record.
  7. For CA domain name, enter the CA name.
  8. Select Save.
  9. Repeat for each CA associated with your domain.
To create a CAA record via the API, use this POST endpoint.

Once you have finished creating all the records, you can review them in the list of records appearing under the DNS Records panel.